authorRich Megginson <rmeggins@redhat.com>2005-11-03 15:36:19 +0000
committerRich Megginson <rmeggins@redhat.com>2005-11-03 15:36:19 +0000
commitc967724d8a9d9ddc34af25b1015aa6f3f8a90bfe (patch)
tree029e593a3651e6b63c1359ae25fcbd8e19fcd5a7
parentafc09f9556695b46a3b199d9d009a05e328b7198 (diff)
Bug(s) fixed: 166229, 166081
Bug Description: slapd crashes during SASL authentication Reviewed by: Noriko (Thanks!) Branch: HEAD and Directory71RtmBranch Fix Description: When we build cyrus-sasl on RHEL, we tell it to use berkeley db for its sasldb database. It uses whatever version of berkeley db is installed in the system. On RHEL3, this is usually libdb-4.1. However, at runtime, slapd uses 4.2, leading to conflicts. This doesn't happen on RHEL4 because it already has 4.2 on it. The db is used to lookup auxiliary properties (auxprop) related to the user, such as password or whatever. This happens in sasl after the user is looked up. In our server, the way we use it, we don't care about these auxprops, or we get them in another way. If you don't tell sasl which auxprop plugin you want to use, it tries to use all of them, which means it will attempt to use the sasldb plugin, which will lead to the crash. The solution is to add our own auxprop plugin which is just a dummy that does nothing, and tell sasl to use our plugin. Platforms tested: RHEL3, RHEL4 Flag Day: no Doc impact: no
-rw-r--r--ldap/servers/slapd/saslbind.c54
1 files changed, 54 insertions, 0 deletions
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index a38d07e7..9f991204 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -95,6 +95,56 @@ void sasl_mutex_free(void *mutex)
* sasl library callbacks
*/
+/*
+ * We've added this auxprop stuff as a workaround for RHDS bug 166229
+ * and FDS bug 166081. The problem is that sasldb is configured and
+ * enabled by default, but we don't want or need to use it. What
+ * happens after canon_user is that sasl looks up any auxiliary
+ * properties of that user. If you don't tell sasl which auxprop
+ * plug-in to use, it tries all of them, including sasldb. In order
+ * to avoid this, we create a "dummy" auxprop plug-in with the name
+ * "iDS" and tell sasl to use this plug-in for auxprop lookups.
+ * The reason we don't need auxprops is because when we grab the user's
+ * entry from the internal database, at the same time we get any other
+ * properties we need - it's more efficient that way.
+ */
+static void ids_auxprop_lookup(void *glob_context __attribute__((unused)),
+ sasl_server_params_t *sparams __attribute__((unused)),
+ unsigned flags __attribute__((unused)),
+ const char *user __attribute__((unused)),
+ unsigned ulen __attribute__((unused)))
+{
+ /* do nothing - we don't need auxprops - we just do this to avoid
+ sasldb_auxprop_lookup */
+}
+
+static sasl_auxprop_plug_t ids_auxprop_plugin = {
+ 0, /* Features */
+ 0, /* spare */
+ NULL, /* glob_context */
+ NULL, /* auxprop_free */
+ ids_auxprop_lookup, /* auxprop_lookup */
+ "iDS", /* name */
+ NULL /* auxprop_store */
+};
+
+int ids_auxprop_plug_init(const sasl_utils_t *utils __attribute__((unused)),
+ int max_version,
+ int *out_version,
+ sasl_auxprop_plug_t **plug,
+ const char *plugname __attribute__((unused)))
+{
+ if(!out_version || !plug) return SASL_BADPARAM;
+
+ if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
+
+ *out_version = SASL_AUXPROP_PLUG_VERSION;
+
+ *plug = &ids_auxprop_plugin;
+
+ return SASL_OK;
+}
+
static int ids_sasl_getopt(
void *context,
const char *plugin_name,
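Review bot: The plug-in name "iDS" is written as a separate string literal in the `ids_auxprop_plugin` initializer here, again in the `auxprop_plugin` branch of `ids_sasl_getopt`, and a third time in the `sasl_auxprop_add_plugin` call in `ids_sasl_init`. The workaround only holds while the name returned by the getopt callback matches the registered one, so one definition such as `#define IDS_AUXPROP_PLUGIN_NAME "iDS"`, used at all three sites, would keep them from drifting apart. Separately, `ids_auxprop_plug_init` is referenced only from this file in the visible hunks and could be `static` like `ids_auxprop_lookup`, unless a header outside this diff declares it.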
@@ -121,6 +171,8 @@ static int ids_sasl_getopt(
if (LDAPDebugLevelIsSet(LDAP_DEBUG_TRACE)) {
*result = "6"; /* SASL_LOG_TRACE */
}
+ } else if (strcasecmp(option, "auxprop_plugin") == 0) {
+ *result = "iDS";
}
if (*result) *len = strlen(*result);
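Review bot: The new `auxprop_plugin` branch carries no comment, and its rationale lives only in the block comment next to the plug-in definition much earlier in the file. A one-line comment on the branch would make the intent visible where the option is answered, for example `/* always select our no-op auxprop plug-in so sasl does not try sasldb */`. `ids_sasl_getopt` starts and ends outside this hunk.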
@@ -576,6 +628,8 @@ int ids_sasl_init(void)
#endif
#endif
+ result = sasl_auxprop_add_plugin("iDS", ids_auxprop_plug_init);
+
LDAPDebug( LDAP_DEBUG_TRACE, "<= ids_sasl_init\n", 0, 0, 0 );
return result;
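Review bot: The status of `sasl_auxprop_add_plugin` is assigned to `result` and returned without being checked or logged, and the assignment replaces whatever `result` held from the initialization code above, which is outside the hunk. If registration fails, the getopt callback still names "iDS" as the auxprop plug-in, so the failure should be recorded where it occurs: `if (result != SASL_OK) LDAPDebug(LDAP_DEBUG_ANY, "failed to add iDS auxprop plugin: %d\n", result, 0, 0);`. It would also be safer to make the call only when the earlier steps succeeded, so that an earlier error code is not overwritten by SASL_OK. The body of `ids_sasl_init` starts outside the hunk.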